Prepare the host system
(this is only done once)
- get the kernel source
- get the vserver patch
- get the vserver utilities
- compile your kernel
- kernel configuration
- patch and compile the kernel
- install your kernel
- reboot your machine
- Set up the general vserver directories including the barrier
- Make services not be greedy
get the kernel source
# apt-get install kernel-source-2.6.8
# cd /usr/src
# tar -jxf kernel-source-2.6.8.tar.bz2
It is actually better to use the 2.6.12 kernel than 2.6.8: it includes security updates, the vserver patch for 2.6.12 is the stable 2.0 release, and the matching util-vserver tools have many bugs fixed.
To do this, temporarily add the following to your /etc/apt/sources.list:
deb http://ftp.debian.org/debian/ testing main non-free contrib
deb-src http://ftp.debian.org/debian/ testing main non-free contrib
Then do an apt-get update, and install the newer kernel-source:
# apt-get update
# apt-get -t testing install linux-source-2.6.12
# cd /usr/src
# tar -jxf linux-source-2.6.12.tar.bz2
get the vserver patch
# apt-get install kernel-patch-vserver
If you are going the recommended route of using the newer patch, then do the following instead:
# apt-get -t testing install kernel-patch-vserver
get the vserver utilities
If you are using Sarge, be sure to use the backported version of util-vserver that is available in the riseup apt repository. You can do that by adding this line to your /etc/apt/sources.list:
deb http://deb.riseup.net/debian unstable main
Then run apt-get update, and then do:
# apt-get install util-vserver
If you are using testing or unstable, make sure you are getting a version of util-vserver that is of version 0.30.209 or newer.
compile your kernel
The instructions are located in /usr/share/doc/kernel-patch-vserver/README.Debian,
but this is essentially how you do it...
kernel configuration
First, you need a kernel config file...
Don't have a kernel config? You can use the one that Debian uses for its kernels and be almost certain that it will work, but it will take a really long time to compile (several hours) unless you remove some unnecessary things.
To get the debian 2.6.8 kernel config you can do the following:
# apt-cache search kernel-image-2.6.8
Pick the kernel image that matches your architecture and number of processors (if you have more than one processor, choose one with smp), then get the source as follows:
# cd /usr/src
# apt-get source kernel-image-2.6.8-2-686
# cd kernel-image-2.6.8-i386-2.6.8/config
Now copy the config file that matches your architecture into your kernel source directory:
# cp 686 /usr/src/kernel-source-2.6.8/.config
If you are using the 2.6.12 kernel source instead, the only way I know of to get the debian config file is to do:
# apt-cache search linux-image-2.6.12
(pick your architecture)
# apt-get install linux-image-2.6.12-1-686
Now copy the config file that was placed in /boot from the install of this package:
# cp /boot/config-2.6.12-1-686 /usr/src/linux-source-2.6.12/.config
Now you are going to want to remove the testing/unstable lines you added to /etc/apt/sources.list and then run apt-get update. Otherwise the next time you do an apt-get dist-upgrade you are going to upgrade to unstable, and that's bad. I would like to put instructions here on how to apt pin certain packages, or set the default release to "stable" so that this doesn't happen, but I need to remember how to do that.... if you know, tell me :)
From here on out you can follow the rest of the instructions as detailed, substituting 2.6.12 for 2.6.8.
Now you can either proceed straight from here using this config, or you can trim some of the unnecessary things out of the config (this will vastly reduce the compile time, but is more dangerous: if you remove something that you shouldn't, you will not be able to boot the new kernel). If you want to remove some unnecessary things (such as sound, firewire, usb, ISDN, telephony, blah blah blah), then do:
# cd /usr/src/kernel-source-2.6.8
# make menuconfig
Now uncheck all the unnecessary modules, devices, features etc., but be careful!
patch and compile the kernel
Now to actually patch and compile the kernel:
# cd /usr/src/kernel-source-2.6.8
# export PATCH_THE_KERNEL=YES
# make-kpkg --rootcmd fakeroot --revision custom01 --added-patches vserver --append-to-version +vserver --initrd binary-arch
install your kernel
# cd ..
# dpkg -i kernel-image-2.6.8+vserver_custom01_i386.deb
# dpkg -i kernel-headers-2.6.8+vserver_custom01_i386.deb
reboot your machine
# echo "everyone run for cover!" | wall
# shutdown -r now
Set up the general vserver directories including the barrier
The default base directory where your vservers will be put is defined
as whatever /etc/vservers/.defaults/vdirbase symlinks to; this is
called the vdirbase. When you install util-vserver it is set to
/var/lib/vservers. You might not have enough space in /var for
vservers and want to put them elsewhere (a common place is
/vservers). If you want to change your vdirbase you can simply
rm /etc/vservers/.defaults/vdirbase and then symlink it to the new
place (ln -s /vservers /etc/vservers/.defaults/vdirbase).
IMPORTANT
If you change the vdirbase, you must also change the permissions on that
directory so it is impossible to escape from the vserver. You need to
create the "chroot barrier", which forbids any writing actions and chroot
escapes. The entire procedure can be done as follows:
# mkdir /vservers
# rm /etc/vservers/.defaults/vdirbase
# ln -s /vservers /etc/vservers/.defaults/vdirbase
# setattr --barrier /vservers
Make services not be greedy
All processes in the host system must bind to a specific IP address. Otherwise, the vservers will not be able to see any traffic on a port which has been bound by a process in the host system.
By default the Debian sshd package starts by binding to the IP address 0.0.0.0;
this is greedy and keeps you from installing ssh on your vservers. You need to
limit the IP that your host uses for ssh to just the IP of the server itself. If
you do not do this, you will install ssh on your new vserver, try to ssh to
it, and only get the host, not your vserver. This also applies to other services,
such as apache: you need to make these services Listen only on the IP of the
server, otherwise they also Listen for all the vservers.
For ssh you can fix this by editing /etc/ssh/sshd_config and changing the line:
#ListenAddress 0.0.0.0
to
ListenAddress 69.90.134.201
(using the IP of your host of course) and then instruct sshd to reload its configuration:
# /etc/init.d/ssh restart
For apache change /etc/apache/httpd.conf to have:
Listen 216.162.197.194:8080
Are there any ports used on the host system which are still bound to all IP addresses? Check with:
# netstat -lp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program
tcp 0 0 *:www *:* LISTEN 26361/apache
tcp 0 0 ibis.riseup.net:ssh *:* LISTEN 607/sshd
Here we see that apache has www (port 80) bound to all addresses, but that sshd has ssh (port 22) bound correctly to a single ip.
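To make that check repeatable, here is a small helper (added for this guide, not part of util-vserver or the original page) that reads "netstat -lp" style output and prints the PID/Program of every listener still bound to all addresses, so you can spot greedy services before installing the same service in a vserver. The sample listing is constructed for the example, modelled on the one above.

```shell
# greedy_listeners: read a "netstat -lp" listing on stdin and print the
# PID/Program column of every tcp/udp listener whose Local Address is a
# wildcard ("*:port", "0.0.0.0:port" or ":::port" for IPv6).
# Such a listener captures that port for every vserver IP on the host.
greedy_listeners() {
    awk '$1 ~ /^(tcp|udp)6?$/ && $4 ~ /^(\*|0\.0\.0\.0|::):/ { print $NF }'
}

# Convenience wrapper for a live host (requires root for the PID column).
check_host_listeners() {
    netstat -lp 2>/dev/null | greedy_listeners
}

# Constructed sample listing: apache and named are greedy, sshd is not.
SAMPLE='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program
tcp 0 0 *:www *:* LISTEN 26361/apache
tcp 0 0 ibis.riseup.net:ssh *:* LISTEN 607/sshd
udp 0 0 0.0.0.0:domain *:* 1234/named'

# Prints "26361/apache" and "1234/named"; sshd is correctly bound.
printf '%s\n' "$SAMPLE" | greedy_listeners
```

Any program it prints needs a ListenAddress/Listen line pinned to the host IP, as shown above for sshd and apache; an empty result means the host is no longer greedy.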